A phishing operation has cut and pasted components of at least five other phishing kits to create its own attack platform, sending out password-reset and fax-and-scanner notifications in significant campaigns earlier this year, according to researchers with the Microsoft 365 Defender Threat Intelligence Team.
The TodayZoo kit, as Microsoft dubbed the framework, appears to extensively use code from another kit, known as DanceVida, while other components significantly match the code from at least five other phishing kits. Microsoft first discovered the phishing kit in December 2020, but a series of major campaigns in March and June 2021 attempted to steal credentials from Microsoft users, leading the company's threat intelligence team to analyze the kit.
Calling the cybercriminal tool a "Franken-phish" because of its use of parts from other phishing kits, the kit seems to bring together different components of other phishing tools rather than use a phishing-as-a-service offering, says Tanmay Ganacharya, partner director for security research at Microsoft Defender.
"Ultimately, phishing kits — similar to malware — are increasingly modular and sometimes defy clean family attribution as a result," he says. "Other kits that are similar and have shared code are also well-protected at this time, but we see new kits and phish pages daily that defy standard naming as they morph so quickly."
Phishing continues to be an extremely popular way of harvesting sensitive information and legitimate credentials from unwary users. Successful attacks are less likely to come through an e-mail client and more likely to target mobile users, according to a report released this week by Jamf, a provider of enterprise management tools for Apple computers and devices. Around 10% of users on mobile devices have clicked on a phishing link in the past year, an increase of 160% over the past 12 months, the company states in its "Phishing Trends Report 2021."
The most popular brands targeted by phishing attacks in 2021 included Apple, PayPal, Amazon, and Microsoft, the report states.
"Phishing attack delivery has evolved far beyond poorly-worded emails offering 'unclaimed lottery winnings,'" the Jamf report states. "They are not only more personalized and more convincing, they are reaching users in more places than ever before and increasingly going beyond consumers to target business credentials and data."
Phishing Kits Up Close
Phishing kits typically have three major components: an imitation capability that creates login pages that match closely to a targeted brand; a set of features that obfuscate the malicious code in the pages, which also includes anti-analysis features; and code that harvests credentials, or other sensitive information, from the user and sends it back to the attacker.
In its analysis, Microsoft found TodayZoo and DanceVida had about a 30% to 35% overlap between the code included in the two kits. The two codebases diverged significantly in how they handled credential harvesting.
"[B]ecause of the consistency in the redirection patterns, domains, and other techniques, tactics, and procedures (TTPs) of its related campaigns, we believe that the actors behind it came across an old phishing kit template and replaced the credential harvesting part with its own exfiltration logic to make TodayZoo solely for their nefarious purposes," according to the Microsoft researchers.
The TodayZoo campaigns all used the same four-step attack, sending e-mail to targeted users who then would be redirected to an initial page. Then victims' browsers were redirected to a second page, which then sent the victim to a final landing page hosted by — in almost every case — service provider Digital Ocean.
"[T]his research further proves that most phishing kits observed or available today are based on a smaller cluster of larger kit 'families,'" the Microsoft analysis states. "While this trend has been observed previously, it continues to be the norm, given how phishing kits we’ve seen share large amounts of code among themselves."
The code for TodayZoo, and the scripts used to create its pages, had a large number of artifacts left over from the original source of the code, according to Microsoft. Such dead links and callbacks to other kits may indicate that many phishing kit distributors and phishing operators are quickly grabbing pieces of code from available sources to build their tools, Microsoft says.
"We will likely see more cobbled-kits in the future, as well as more effective kits in general as some of the more generic [and] obvious ones fall out of use in favor of more evasive kits that bypass sandbox evasion, incorporate CAPTCHAs, encode source, or use separate programming languages or resource types," says Phillip Misner, principal security group manager at Microsoft.
Misner warned that credential phishing will continue to be a danger to businesses, especially if companies do not adequately filter out suspicious e-mail messages and senders. Businesses should consider adopting multifactor authentication and harden the configurations for their mail servers to make phishing attacks more difficult, he says.